Related issues
https://jira.camunda.com/browse/SUPPORT-21543
https://jira.camunda.com/browse/SUPPORT-22059
Issue
In Keycloak 23+ the issuer is validated when making a refresh_token request; this validation is based on dynamic hostname resolution in Keycloak itself. This prevents Identity from refreshing a token, because the token retrieved by Identity contains the public Keycloak URL as the issuer. When Identity tries to refresh the authentication token, the request is made via the backend, which means that the hostname is dynamically resolved to the internal/container name; this ultimately causes the issuers not to match and the request to fail.
There is a known limitation and issue in Keycloak's current approach regarding different request hosts (frontchannel/backchannel): https://github.com/keycloak/keycloak/issues/27660.
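To reproduce the mismatch locally, here is an added diagnostic (not code from Identity or Keycloak): it decodes the `iss` claim of a token and compares it with the issuer Keycloak would derive from the Host header of the refresh request. The hostnames, realm name and the sample token are constructed for the demo.

```python
import base64
import json


def decode_jwt_payload(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature.
    For inspection only: never act on claims from an unverified token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact-serialized token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def issuer_for_request(scheme: str, host: str, realm: str) -> str:
    """Issuer Keycloak derives dynamically from the request's Host header."""
    return f"{scheme}://{host}/realms/{realm}"


def refresh_issuer_check(token: str, scheme: str, host: str, realm: str):
    """Return (matches, token_issuer, issuer_expected_by_keycloak) for a
    refresh request that will reach Keycloak under the given scheme/host."""
    token_iss = decode_jwt_payload(token)["iss"]
    expected = issuer_for_request(scheme, host, realm)
    return token_iss == expected, token_iss, expected


def make_unsigned_token(claims: dict) -> str:
    """Constructed sample token (unsigned, empty signature part) for the demo."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


if __name__ == "__main__":
    # Token obtained through the public (frontchannel) URL - constructed values.
    token = make_unsigned_token({"iss": "https://keycloak.example.com/realms/camunda-platform"})
    # Refresh sent from the backend to the container name: issuers differ -> refresh fails.
    print(refresh_issuer_check(token, "http", "keycloak:8080", "camunda-platform"))
    # Refresh sent to the public hostname (e.g. after a DNS rewrite inside the cluster): match.
    print(refresh_issuer_check(token, "https", "keycloak.example.com", "camunda-platform"))
```

Run it against a real access token (paste the token string) to see which issuer the backchannel refresh would be validated against.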
Possible remediation
I've investigated this issue and believe that the most reasonable resolution is:
configuration.getIssuer()
)camunda-platform-local repo to include a CoreDNS rewrite